Regulation to Ensure Deletion of Personal Data Collected by oBike
Ministry of Digital Development and InformationSpeakers
Summary
This question concerns the deletion of personal data by oBike in compliance with the Personal Data Protection Act (PDPA). Miss Cheng Li Hui asked how authorities ensure data protection for one million members during the company's liquidation process. Minister S Iswaran explained that PDPA obligations continue during winding-up, requiring liquidators to protect and eventually expunge data that serves no legal or business purpose. He clarified that personal data cannot be sold as an asset without consent, though it may be transferred during a business sale if customers are properly notified. The Personal Data Protection Commission is monitoring oBike closely and will take necessary action to safeguard consumer interests.
Transcript
8 Miss Cheng Li Hui asked the Minister for Communications and Information how can the authorities ensure the deletion of personal data collected by oBike in compliance with the Personal Data Protection Act, especially since it claims to have around one million members.
Mr S Iswaran: oBike, like any other business in Singapore, is required to comply with the data protection obligations under the Personal Data Protection Act (PDPA). If a business has no legal or business purpose for the personal data in its possession or control, PDPA requires it to stop retaining such data.
PDPA continues to apply to a company undergoing liquidation. Where a liquidator is appointed, the liquidator will also have to ensure that the company undergoing liquidation continues to comply with PDPA. This includes the obligations to protect customer data during liquidation and expunging customer data at the end of the winding-up process if there is no legal or business purpose to retain it.
The personal data of customers in Singapore cannot be treated as assets and sold without their consent. In winding up a company, the company's liquidator may sell the whole or part of the company, its assets or business. If such a sale takes place, customer data that is directly relevant to the transaction may be transferred to the acquirer. However, under PDPA, customers must be notified that their personal data has been transferred. If customers do not wish for the acquiring company to use their personal data, they can approach the acquiring company to withdraw their consent, whereupon the acquiring company shall then delete the personal data once there is no legal or business purpose to retain it.
The Personal Data Protection Commission (PDPC) expects oBike and its liquidators to continue complying with PDPA even as it prepares to exit the market in Singapore. PDPC has reminded oBike of its obligations under the PDPA and is monitoring the situation closely. PDPC will not hesitate to take further action to safeguard consumers' interests if necessary.